From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: chrisw@redhat.com, anbang.ruan@cs.ox.ac.uk,
qemu-devel@nongnu.org, rrelyea@redhat.com, alevy@redhat.com,
andreas.niederl@iaik.tugraz.at, serge@hallyn.com
Subject: Re: [Qemu-devel] [PATCH V8 10/14] Encrypt state blobs using AES CBC encryption
Date: Wed, 07 Sep 2011 20:16:27 -0400 [thread overview]
Message-ID: <4E68095B.60802@linux.vnet.ibm.com> (raw)
In-Reply-To: <20110907185536.GA15276@redhat.com>
On 09/07/2011 02:55 PM, Michael S. Tsirkin wrote:
> On Thu, Sep 01, 2011 at 10:23:51PM -0400, Stefan Berger wrote:
>>>> An additional 'layer' for reading and writing the blobs to the underlying
>>>> block storage is added. This layer encrypts the blobs for writing if a key is
>>>> available. Similarly it decrypts the blobs after reading.
> So a couple of further thoughts:
> 1. Raw storage should work too, and with e.g. NFS migration will be fine, right?
> So I'd say it's worth supporting.
NFS via shared storage, yes, but not migration via Qemu's block
migration mechanism. If snapshotting was supposed to be a feature to
support then that's only possible via block storage (QCoW2 in particular).
Adding plain file support to the TPM code so it can store its 3 blobs
into adds quite a bit of complexity to the code. The command line
parameter that previously pointed to QCoW2 image file would probably
have to point to a directory where files for the 3 blobs can be written
into. Besides that, snapshotting would actually have to be prevented
maybe through registering a (fake) file of other than QCoW2 type since
the plain TPM files won't handle snapshotting correctly, either, and
QEMU pretty much would have to be prevented from doing snapshotting at
all. Maybe there's an API for this, but I don't know. Though why create
this additional complexity? I don't mind relaxing the requirement of
using a QCoW2 image and allowing for example RAW images (that then
automatically prevent the snapshotting from happening) but the same code
I now have would work for writing the blobs into it the single file.
> 2. File backed nvram is interesting outside tpm.
> For example,vpd and chassis number for pci, eeprom emulation for network cards.
> Using a file per device might be inconvenient though.
> So please think of a format and API that will allow sections
> for use by different devices.
Also here 'snapshotting' is the most 'demanding' feature of QEMU I would
say. Snapshotting isn't easily supported outside of the block layer from
what I understand. Once you are tied to the block layer you end up
having to use images and those don't grow quite well. So other devices
wanting to use those type of devices would need to know what the worst
case sizes are for writing their state into -- unless an image format is
created that can grow.
As for the format: Ideally all devices could write into one file, right?
That would at least prevent too many files besides the VM's image file
from floating around which presumably makes image management easier.
Following the above, you add up all the worst case sizes the individual
devices may need for their blobs and create an image with that capacity.
Then you need some form of a (primitive?) directory that lets you write
blobs into that storage. Assuming there were well defined names for
those devices one could say for example store this blobs under the name
'tpm-permanent-state' and later on load it under that name. The possible
size of the directory would have to be considered as well... I do
something like that for the TPM where I have up to 3 such blobs that I
store.
The bad thing about the above is of course the need to know what the sum
of all the worst case sizes is. So a growable image format would be
quite good to have. I haven't followed the conversations much, but is
that something QCoW3 would support?
Crazy idea: Is there a filesystem that one could use and mount a
filesystem onto (some) sectors of an image? Again, the best format right
now is QCoW2 for this (due to snapshotting suport) where one would have
to be able to mount a filesystem onto the current snapshot's available
sectors. Then at least the handling of blobs would become a lot easier.
Though I doubt this would be possible without custom code and lots of
development.
> 3. Home-grown file formats give us enough trouble in migration.
> Could this use one of the variants of ASN.1?
> There are portable libraries to read/write that, even.
>
I am not sure what 'this' refers to. What I am doing with the TPM is
writing 3 independent blobs at certain offset into the QCoW2 block file.
A directory in the first sector holds the offsets, sizes and crc32's of
these (unencrypted) blobs.
I am not that familiar with ASN.1 except that from what I have seen it
looks like a fairly terrible format needing an object language to create
a parser from etc. not to mention the problems I had with snacc trying
to compile the ASN.1 object language of an RFC...
Stefan
next prev parent reply other threads:[~2011-09-08 0:17 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-31 14:35 [Qemu-devel] [PATCH V8 00/14] Qemu Trusted Platform Module (TPM) integration Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 01/14] Support for TPM command line options Stefan Berger
2011-09-01 17:14 ` Michael S. Tsirkin
2011-09-02 1:01 ` Stefan Berger
2011-09-04 16:29 ` Michael S. Tsirkin
2011-09-04 16:50 ` Michael S. Tsirkin
2011-09-01 18:14 ` Michael S. Tsirkin
2011-09-02 1:02 ` Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 02/14] Add TPM (frontend) hardware interface (TPM TIS) to Qemu Stefan Berger
2011-09-09 19:28 ` Paul Moore
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 03/14] Add persistent state handling to TPM TIS frontend driver Stefan Berger
2011-09-01 17:20 ` Michael S. Tsirkin
2011-09-02 1:12 ` Stefan Berger
2011-09-09 21:13 ` Paul Moore
2011-09-11 16:45 ` Stefan Berger
2011-09-12 21:16 ` Paul Moore
2011-09-12 23:37 ` Stefan Berger
2011-09-13 12:13 ` Paul Moore
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 04/14] Add tpm_tis driver to build process Stefan Berger
2011-09-01 17:23 ` Michael S. Tsirkin
2011-09-02 1:16 ` Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 05/14] Add a debug register Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 06/14] Add a TPM backend skeleton implementation Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 07/14] Implementation of the libtpms-based backend Stefan Berger
2011-09-01 17:27 ` Michael S. Tsirkin
2011-09-02 1:24 ` Stefan Berger
2011-09-04 16:27 ` Michael S. Tsirkin
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 08/14] Introduce file lock for the block layer Stefan Berger
2011-09-01 17:32 ` Michael S. Tsirkin
2011-09-02 1:53 ` Stefan Berger
2011-09-04 19:32 ` Michael S. Tsirkin
2011-09-06 23:55 ` Stefan Berger
2011-09-07 11:18 ` Michael S. Tsirkin
2011-09-07 13:06 ` Stefan Berger
2011-09-07 13:16 ` Michael S. Tsirkin
2011-09-07 13:56 ` Stefan Berger
2011-09-07 14:10 ` Michael S. Tsirkin
2011-09-07 14:25 ` Stefan Berger
2011-09-07 14:35 ` Michael S. Tsirkin
2011-09-07 15:06 ` Stefan Berger
2011-09-07 15:16 ` Michael S. Tsirkin
2011-09-07 16:08 ` Stefan Berger
2011-09-07 18:49 ` Michael S. Tsirkin
2011-09-08 0:31 ` Stefan Berger
2011-09-08 10:36 ` Michael S. Tsirkin
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 09/14] Add block storage support for libtpms based TPM backend Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 10/14] Encrypt state blobs using AES CBC encryption Stefan Berger
2011-09-01 19:26 ` Michael S. Tsirkin
2011-09-02 2:23 ` Stefan Berger
2011-09-04 16:58 ` Michael S. Tsirkin
2011-09-07 0:32 ` Stefan Berger
2011-09-07 11:59 ` Michael S. Tsirkin
2011-09-07 18:55 ` Michael S. Tsirkin
2011-09-08 0:16 ` Stefan Berger [this message]
2011-09-08 10:32 ` Michael S. Tsirkin
2011-09-08 12:11 ` Stefan Berger
2011-09-08 13:16 ` Michael S. Tsirkin
2011-09-08 15:27 ` Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 11/14] Experimental support for block migrating TPMs state Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 12/14] Support for taking measurements when kernel etc. are passed to Qemu Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 13/14] Add a TPM backend null driver implementation Stefan Berger
2011-09-01 17:40 ` Michael S. Tsirkin
2011-09-02 2:41 ` Stefan Berger
2011-09-04 16:42 ` Michael S. Tsirkin
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 14/14] Allow to provide inital TPM state Stefan Berger
2011-09-01 18:10 ` Michael S. Tsirkin
2011-09-01 19:01 ` Michael S. Tsirkin
2011-09-02 3:00 ` Stefan Berger
2011-09-04 16:38 ` Michael S. Tsirkin
2011-09-07 2:45 ` Stefan Berger
2011-09-07 11:23 ` Michael S. Tsirkin
2011-09-07 13:51 ` Stefan Berger
2011-09-07 13:57 ` Michael S. Tsirkin
2011-09-01 18:12 ` [Qemu-devel] [PATCH V8 00/14] Qemu Trusted Platform Module (TPM) integration Michael S. Tsirkin
2011-09-02 3:02 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E68095B.60802@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=alevy@redhat.com \
--cc=anbang.ruan@cs.ox.ac.uk \
--cc=andreas.niederl@iaik.tugraz.at \
--cc=chrisw@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rrelyea@redhat.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).